Recompile had no effect. Just for reference, how far along into the boot process should it ask for the password?

I also went to the grub command line and typed each command in to see if grub was finding the kernel and initrd.gz, seemed to be fine. I also saw no error messages during boot up until the kernel panic when it tries to find my root partition.

I am using ReiserFS for boot and root partitions, but I don't think that should matter.

I guess I am stuck at this point with an unusable system. I will try to unencrypt it and start the process over. At least then we will know how to unencrypt your root partition if the need ever arises.

If you know everything else is right then maybe it is the old losetup that you are using. Knoppix 3.1 works well.

LOSETUP makes a key from the pass phrase. I think old ones are different. The losetup that the ram disk uses is the one that you made when you made util-linux as part of loop-AES. Can you use that one instead? It should work because it's static.

I can't get on anymore until after school (I'm at home sneaking on at lunch) so I can't answer anymore for a while.

A couple of comments:
You forgot to gzip the manuals.
Also, you don't technically need to install the tools, just copy the static losetup to the boot partition after you make the initrd.

Also you can install Gentoo from scratch onto an encrypted partition by booting from the Knoppix CD. I can write out directions if anyone wants.

Performance wise, compiling a bzImage was about 1.5% slower on an encrypted file system than unencrypted. Note that the partitions were on different parts of the disk and I had more stuff installed on the unencrypted fs so it probably had greater fragmentation.

Another thing: does anybody know how to compile a static version of loadkeys that I can put in my boot partition so that it will load my keymap before the password prompt?

And yet another thing: in the loop-AES README FAQ they mention setting a random seed for the encryption, but you mention nothing of this in your howto. Would it be more secure to use a random seed? How would I do this? Do I need to reinstall?

-edit-
Also, if you do this you should build USB as a module so it doesn't bug you while you're typing in your password.

OK, boot into Knoppix without the graphical environment.
Run losetup -e AES256 -T /dev/loop0 /dev/hda2 (or whatever is your root partition).
Then do mke2fs /dev/loop0 (or whatever file system you want).
Then mkdir /mnt/gentoo
and then mount /dev/loop0 /mnt/gentoo
and mkdir /mnt/gentoo/boot
and mount /dev/hda1 /mnt/gentoo/boot.
Then cd into /mnt/gentoo
and then extract whatever stage you want and proceed from there following the instruction guide.
When you get to the kernel:

Quote:

You HAVE to use CONFIG_MODULES=y, CONFIG_BLK_DEV_LOOP=n (y or m WON'T WORK), CONFIG_BLK_DEV_RAM=y, CONFIG_BLK_DEV_RAM_SIZE=4096, CONFIG_BLK_DEV_INITRD=y, CONFIG_MINIX_FS=Y (this is because the ramdisk is minix), CONFIG_PROC_FS=y plus whatever FILESYSTEM YOUR ROOT IS HAS TO BE Y (modules won't work because the kernel can't get modules from the root file system until it knows how to read it and decrypt it when it is booting; other stuff can be modules if you want). Make sure that your new kernel works before going further.

but instead of the normal last step:
cp -p /lib/modules/`uname -r`/block/loop.o /boot/loop-NAMEOFTHEKERNELYOUWILLBEUSING.o

and then do these steps:
In the loop-AES directory edit build-initrd.sh. Change BOOTDEV, BOOTTYPE, CRYPTROOT, ROOTYPE and CIPHERTYPE to what you want. Then type sh build-initrd.sh . This makes a ramdisk so that the kernel knows how to get the pass phrase when you boot later.

The loop-AES README does mention stuff about creating a random seed, but it works fine without it. I think the seed is supposed to make it that much harder to brute force an attack, but since the seed would be easily available from the unencrypted boot partition, I don't really see the point. Although I am not an encryption guru so I may be misunderstanding.
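As an added example (not from the thread or from loop-AES itself), here is a small shell function that checks a kernel .config against the kernel requirements quoted above before you reboot into it; it assumes you pass the Kconfig symbol of your root filesystem, and the two sample configs it tests are constructed.

```shell
# Added example: check a kernel .config against the loop-AES kernel
# requirements quoted in this thread. ROOT_FS_OPTION is an assumption:
# pass the Kconfig symbol of your root filesystem (e.g. CONFIG_REISERFS_FS).

# check_loopaes_config CONFIG_FILE ROOT_FS_OPTION
# Prints each unmet requirement; returns 0 only when all are met.
check_loopaes_config() {
    cfg=$1
    rootfs=$2
    rc=0
    for want in CONFIG_MODULES=y CONFIG_BLK_DEV_RAM=y \
                CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y \
                CONFIG_MINIX_FS=y CONFIG_PROC_FS=y "$rootfs=y"; do
        if ! grep -qxF "$want" "$cfg"; then
            echo "missing: $want"
            rc=1
        fi
    done
    # The loop driver must come from loop-AES's own loop.o, so the in-tree
    # driver must be neither built in (=y) nor a module (=m).
    if grep -qE '^CONFIG_BLK_DEV_LOOP=(y|m)$' "$cfg"; then
        echo "conflict: CONFIG_BLK_DEV_LOOP must be n (y or m will not work)"
        rc=1
    fi
    return $rc
}

# Constructed sample .config that meets every requirement (ReiserFS root).
good_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
CONFIG_MODULES=y
# CONFIG_BLK_DEV_LOOP is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
CONFIG_MINIX_FS=y
CONFIG_PROC_FS=y
CONFIG_REISERFS_FS=y
EOF

# Constructed sample showing the typical mistake: loop and root fs as modules.
bad_cfg=$(mktemp)
sed -e 's/^# CONFIG_BLK_DEV_LOOP is not set$/CONFIG_BLK_DEV_LOOP=m/' \
    -e 's/^CONFIG_REISERFS_FS=y$/CONFIG_REISERFS_FS=m/' "$good_cfg" > "$bad_cfg"

check_loopaes_config "$good_cfg" CONFIG_REISERFS_FS && echo "good config: OK"
check_loopaes_config "$bad_cfg" CONFIG_REISERFS_FS || echo "bad config: rejected"
```

Run it against /usr/src/linux/.config with your own root filesystem symbol; a non-zero exit means the initrd built by build-initrd.sh will not be able to mount the encrypted root.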

Now I just have to figure out why my first attempt at converting an existing system didn't work. I think I am having some problems with GRUB and the initrd.gz file.

Also, has anyone gotten the swap encryption working? The instructions in the README make it seem simple, but how can one verify if it's working?

And what about crashes while running an encrypted root filesystem? I suppose people out there are usually setting up encrypted FS on laptops. So, a crash example may be running out of battery.

Did you experience some corrupted FS? And more important, did you recover your data without any problem?

I'm thinking of installing this on my laptop but I'd like to know too if someone has tried to turn it off violently, make it crash, say, press Ctrl+Alt+PrtScr+B for example, and experienced a successful reboot without problems or not.

I have turned off my computer a few times without shutting it down with an encrypted root. One time was with a kernel compiling. It rebooted OK. Root was an XFS file system. I don't know if it would always reboot OK.

I was wondering what would happen if I turned my computer into an encrypted one, and say I wanted to send a file to a friend so that he could read it. Would all my friends be screwed and not be able to read files that I wanted them to?

No, the data in your filesystems would be encrypted, but is transparently decrypted as Linux or any of your applications access it, and encrypted again when it is written to disk. Hence your programs think they are dealing with unencrypted files, because they are, and your files would work fine on other computers.

Main reason I encrypt root is to keep ANYONE (mostly my brother) from booting my computer. If you don't encrypt root then peeps can use Knoppix or other things to change the root password and to steal your files. EVEN IF THEY PUT YOUR DISK IN ANOTHER COMPUTER like at a computer shop they can't get anything!

With encrypted root NO ONE can take stuff or add stuff on your computer unless they find a way to break in when it is already running, and if you have a good firewall and don't run anything that you don't need and keep up to date on portage/emerge then that probably won't happen.

It works well. It's hardly any slower (I thought it would be lots slower but it's not) and it doesn't break even when the computer crashes because of no power.

I tried booting from the Knoppix CD but once it tried to boot into K it got an error and stopped booting. But I have tried using Cool Linux before and it worked fine. Could I just use Cool Linux instead since it works? I am not really sure if it has loop-AES.

Quote:

4) The Knoppix (or Knoppix lite) CD from http://www.knoppix.net . Burn it to a CD and make sure you can boot from it. Knoppix is a great rescue system and I use it a lot to fix stuff when I mess up bad. Knoppix comes with loop-AES already on it so you don't need to make your own rescue system.

I followed chadders' instructions, well written by the way, and everything is great. As far as the performance goes I can see a small hit when playing videos, but that's about it. I rip DVDs to my hard drive so I can watch them when I travel without the disk. I was watching Office Space the other day and it got choppy in one or two places, but it was not unbearable. So, from my experience the file system takes a minimal performance hit that is only noticeable when performing a function that requires heavy disk access.

I can't boot Knoppix on my laptop because it uses a PCMCIA CD-ROM drive. Does anyone know of a distro CD that includes the losetup with encryption that works well with laptops? Any help is greatly appreciated, I really want to encrypt my root partition.

-- slickwheel

I too have problems getting the system to boot after the encryption.
I've set up everything as said and finally encrypted the partition (I can also mount it under Knoppix) but when I reboot into my Gentoo, it always says it can't mount the root partition on 01:01.

The error looks like this: (sorry, the message is not copy-pasted, so the last line is not exactly the same as on my system, but the content is still the same *hmm, bad English*)

I had a similar problem, mainly it wouldn't find any sort of loop device... that wasn't getting loaded. It would complain about being unable to mount /dev/hdb1 on /lib (/dev/hdb1 is /boot for me...?) and I gave up before I hosed my system.
I ended up unencrypting, and re-encrypting with the instructions in the loop-AES README file (that way you get the seed as well), and I also recompiled my kernel to take out "Mount devfs at boot" (as I suspect that may not have been helping) before I re-encrypted, so I suggest trying those approaches. I would unencrypt, redo your kernel if you have devfs mounting at boot, and then either encrypt with these instructions or with the instructions in the loop-AES README.

So, I did eventually get it working... now to encrypt my other partitions.
I hope that made sense, I'm tired and on Percocet right now.

I'm on Percocet right now (as I mentioned before) and I am having issues figuring out how to encrypt my other partitions and have them mount without asking me for a password for EVERY partition that I want to have encrypted (ideally all).

I am at a loss right now because I can't think straight, anybody got a solution for me? I haven't found anything in the loop-AES README that is really helping much... I've thought of
losetup -e AES256 -T -S `cat /boot/seed.txt` /dev/loop1 /dev/hdb5
and then dd'ing the drive to the loop, and setting something or other up, but I'd like to encrypt those drives (preferably without data loss, although I can back it all up rather easily, I just would rather not) and I don't want to have to enter a password for each partition. I want them to "trust" the root decryption password I give on boot. One 20-character password is plenty on startup, thank you, heh

but then it wants a password, and I don't want to have to type my password in 3 times on boot.

First I wanted to say that I found this thread to be an excellent help when encrypting my root fs. Thanks guys.

A couple of points I wanted to post in the thread for anyone else who may run in to the same problems I had.

1) Make sure to read the README and the comments in build-initrd.sh, and pay attention to the parts about using devfs (if you use devfs, of course). I scratched my head for a couple of days until I learned to read. For those wanting to skip to the good stuff:
Set these options in build-initrd.sh